Scan your node for viruses and webshells with Yara


Due to memory issues and lack of usage, we replaced ClamAV with our own signature checker, which is based on Yara.

Introduction

Shop owners that want to comply with an ISO certification are required to periodically check their content for viruses and malware.

Scanning your web content can be done using Yara.
This open source malware signature checker and file scanner is present on all Hypernodes.

Every night a scan will be performed. This scanner is in beta at this moment.
When the scanner hits a possible malware file, it will notify our Abuse department at Byte.
On the first working day after the detection, our customer will receive an e-mail from Byte with details.

The output of the daily scan we perform is written to /var/log/mwscan.log. If the scanner hits on a file, please review that file. In most cases the malware has been uploaded through an insecure downloader folder or Magmi plugin, so try to find out how the file got there. Replace the file with the original file as distributed by the developer, or remove it when it is not used. If you are not sure whether a file is malware, please contact abuse@byte.nl for more information.

If you find web shells, malicious files or injected PHP code that are not yet recognised by mwscan, please report them by filing an issue on the Github repository of this tool, attaching the files as described in the contribution documentation.

Scan your files for known web shells and malware manually

When you run mwscan /data/web/public, it will recursively scan all files present in the directory.
Yara will first load all definitions found, and then start scanning:

[*] Using Files rules.
[*] Loading /usr/lib/python2.7/dist-packages/mwscan/data/all-confirmed.yar
[*] Loaded 96 yara rules and 40 whitelist entries

After finishing a scan, Yara will create a report with some information. If all is well, a single line is printed:

[*] Finished scanning 11131 files: 0 malware and 0 whitelisted.

Otherwise if files in your Magento installation match one of the definitions in Yara, the file name will be printed:

mwscan /data/web/public

[*] Using Files rules.
[*] Loading /usr/lib/python2.7/dist-packages/mwscan/data/all-confirmed.yar
[*] Loaded 96 yara rules and 40 whitelist entries
public/app/etc/modules/initversion.php: md5_023a80d10d10d911989e115b477e42b5
[*] Finished scanning 9867 files: 1 malware and 0 whitelisted.

A file being flagged by Yara does not necessarily mean it is infected. Always inspect the file by hand to determine whether it is a false positive or indeed a malicious file.

Always check the output, even when you suspect a false positive!

Useful examples:

Scan a single file

mwscan /data/web/magento2/pub/x.php

Check all files silently and print a report afterwards

mwscan -q /data/web/public

Check all files, not just the ones containing PHP code

mwscan --deep /data/web/public

To view all available options for mwscan, run mwscan --help.

Scan all files using the most recent (experimental) signatures

To make use of the newest malware signatures, add the -s byte argument. This selects the newest, still experimental, signature set.
These signatures may produce more false positives, but they also include the latest malware signatures we have added.

mwscan -s byte /data/web/public

Scan your files from cron

To scan your files daily from cron and send the output to your e-mail address, all you need to do is add mwscan to your crontab:

10 4 * * * flock -n ~/.mwscan.lock mwscan --ruleset byte /data/web/public --quiet | ts | tee -a /data/web/mwscan.log | ifne mail -s "Possible malware found at $(hostname)" -a 'From: Malware Scanner <mwscan@example.com>' your.email@example.com
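Reviewing /var/log/mwscan.log (or the cron log above, whose lines carry a ts timestamp) is easier when the flagged files and the summary counts are pulled out automatically. The following parser is an added example, not part of mwscan or Hypernode; it understands the line formats shown on this page and flags a run for review when a hit was reported, when the summary count disagrees with the hits seen, or when the summary line is missing because the scan did not finish. The sample output it parses is constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample output (not a real scan), using the line formats this
# page shows; the two timestamped lines imitate the cron job's "ts" prefix.
SAMPLE_OUTPUT = """\
[*] Using Files rules.
[*] Loading /usr/lib/python2.7/dist-packages/mwscan/data/all-confirmed.yar
[*] Loaded 96 yara rules and 40 whitelist entries
public/app/etc/modules/initversion.php: md5_023a80d10d10d911989e115b477e42b5
[*] Finished scanning 9867 files: 1 malware and 0 whitelisted.
"""
SAMPLE_CRON_LOG = """\
Jan 05 04:10:12 public/media/x.php: md5_023a80d10d10d911989e115b477e42b5
Jan 05 04:10:12 [*] Finished scanning 11131 files: 1 malware and 0 whitelisted.
"""

TS_PREFIX = r"^(?:[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} )?"  # optional "ts" stamp
HIT_RE = re.compile(TS_PREFIX + r"(?P<path>.+?):\s+(?P<rule>\S+)$")
SUMMARY_RE = re.compile(TS_PREFIX + r"\[\*\] Finished scanning (?P<files>\d+) files: "
                        r"(?P<malware>\d+) malware and (?P<whitelisted>\d+) whitelisted\.$")
STATUS_RE = re.compile(TS_PREFIX + r"\[\*\] ")

ScanReport = namedtuple("ScanReport", "hits files malware whitelisted")

def parse_mwscan(text):
    """Collect (path, rule) hits and the summary counts from mwscan output."""
    hits, files, malware, whitelisted = [], None, None, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            files, malware, whitelisted = (int(m.group(k)) for k in ("files", "malware", "whitelisted"))
            continue
        if STATUS_RE.match(line):
            continue  # "[*] Using ..." / "[*] Loading ..." progress lines
        m = HIT_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("rule")))
    return ScanReport(hits, files, malware, whitelisted)

def needs_review(report):
    """True when a hit was reported, when the malware count disagrees with the
    hits seen, or when the summary line is missing (a scan that did not finish)."""
    if report.malware is None:
        return True
    return report.malware > 0 or len(report.hits) != report.malware
```

Feed it the contents of the log file, e.g. parse_mwscan(open("/data/web/mwscan.log").read()), and inspect report.hits by hand before deciding whether a hit is a false positive.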
